10599857

Extracting Features for Authentication Events

Published: March 24, 2020
Assignee: not available in USPTO data we have

Patent Claims
19 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to: receive a first time parameter value and a second time parameter value; for a given authentication event at a first time between a plurality of devices in a network, identify a set of events, of the plurality of devices, that are temporally related to the given authentication event, wherein the set of events comprises events of a different type from the given authentication event, and wherein the plurality of devices include a first device at which a user or program initiated the given authentication event with a second device, and the identifying of the set of events comprises: defining a first time interval that starts at a time that is the first time less the first time parameter value, and ends at the first time; defining a second time interval that starts at the first time, and ends at a time that is the first time plus the second time parameter value; identifying events of the first device in the first time interval before the first time, and identifying events of the second device in the second time interval following the first time; extract features from the set of events by aggregating event data of the set of events, wherein the aggregating of the event data comprises computing a metric based on the event data; and provide the extracted features to a classifier that detects unauthorized authentication events.

Plain English Translation

This invention relates to network security, specifically detecting unauthorized authentication events by analyzing temporally related events across multiple devices. The problem addressed is the difficulty in identifying malicious authentication attempts that may appear legitimate when viewed in isolation but can be detected by examining related activities before and after the event. The system receives two time parameter values to define search intervals around a given authentication event occurring at a first time between two devices in a network. The first device initiates the authentication, while the second device is the target. The system identifies a set of events on these devices that are temporally related to the authentication event, including events of a different type from the authentication event itself. This involves defining a first time interval that starts at the authentication time less the first time parameter value and ends at the authentication time, and a second interval that starts at the authentication time and ends at that time plus the second time parameter value. Events from the first device are analyzed within the first interval (before authentication), and events from the second device are analyzed within the second interval (after authentication). Features are extracted by aggregating event data from these intervals, which includes computing a metric from the event data. These features are then provided to a classifier that detects unauthorized authentication events based on the aggregated patterns. The approach improves security by leveraging contextual information from related activities across devices.

Claim 2

Original Legal Text

2. The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the system to: apply the classifier on the extracted features to determine whether the given authentication event is unauthorized.

Plain English Translation

The invention relates to a system for detecting unauthorized authentication events in a computing environment. The problem addressed is the need to accurately identify and prevent unauthorized access attempts while minimizing false positives. The system extracts features from authentication events, such as user behavior patterns, device characteristics, and contextual data, to analyze potential security threats. A classifier is then applied to these extracted features to determine whether an authentication event is unauthorized. The classifier is trained to distinguish between legitimate and malicious access attempts based on historical data and known attack patterns. This approach enhances security by dynamically assessing risk in real-time, reducing reliance on static authentication methods. The system improves upon traditional security measures by incorporating machine learning techniques to adapt to evolving threats. The invention ensures robust protection against unauthorized access while maintaining usability for legitimate users. The classifier's decision-making process is based on a combination of static and dynamic features, allowing for comprehensive threat assessment. This solution is particularly useful in environments where authentication events are frequent and varied, such as cloud-based services or multi-factor authentication systems. The system's ability to learn and adapt over time makes it effective against both known and emerging attack vectors.

Claim 3

Original Legal Text

3. The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the system to: train the classifier using the extracted features and feedback regarding classifications made by the classifier.

Plain English Translation

This invention relates to machine learning systems for improving classifier performance through iterative training. The system extracts features from input data and uses these features to train a classifier. The classifier makes initial classifications, and feedback on these classifications is collected. The system then retrains the classifier using the extracted features and the feedback to improve accuracy. The feedback may include user corrections, system-generated evaluations, or other performance metrics. The training process involves adjusting the classifier's parameters based on the feedback to refine its decision-making. The system may also include preprocessing steps to prepare the input data for feature extraction and post-processing steps to refine the classifier's output. The iterative training loop allows the classifier to continuously improve over time as more feedback is received. This approach is applicable to various domains where classifier accuracy is critical, such as image recognition, natural language processing, and anomaly detection. The system ensures that the classifier adapts to changing data patterns and user expectations, enhancing its reliability and effectiveness.

Claim 4

Original Legal Text

4. The non-transitory machine-readable storage medium of claim 1, wherein the identifying of the set of events comprises identifying events within a time window that includes the first time, the first time interval, and the second time interval.

Plain English Translation

This invention relates to a system for analyzing event data stored on a non-transitory machine-readable storage medium. The system addresses the challenge of efficiently identifying relevant events within a defined time window for further processing or analysis. The invention involves a method for processing event data, where events are recorded with timestamps indicating their occurrence times. The method includes identifying a set of events that fall within a specific time window. This time window is defined by a first time, a first time interval, and a second time interval. The first time serves as a reference point, while the first and second time intervals extend from this reference point to define the boundaries of the time window. The identified events within this window are then used for subsequent analysis, such as detecting patterns, anomalies, or correlations. The system ensures that only events occurring within the specified time frame are considered, improving the accuracy and efficiency of event-based analysis. This approach is particularly useful in applications like log analysis, network monitoring, and real-time data processing, where time-based event filtering is critical. The invention enhances the precision of event identification by dynamically adjusting the time window based on the given intervals, ensuring that only relevant events are processed.

Claim 5

Original Legal Text

5. The non-transitory machine-readable storage medium of claim 1, wherein the extracting of the features further comprises extracting features from the given authentication event.

Plain English Translation

A system and method for enhancing authentication security by analyzing authentication events to detect anomalies. The technology operates in the domain of cybersecurity, specifically focusing on improving the reliability of authentication processes by identifying suspicious or fraudulent activities. The problem addressed is the increasing sophistication of attacks that bypass traditional authentication mechanisms, such as credential stuffing, brute-force attacks, and session hijacking. These attacks exploit weaknesses in authentication systems, leading to unauthorized access and data breaches. The invention involves a machine-readable storage medium containing instructions for extracting and analyzing features from authentication events to detect anomalies. The system processes authentication events, which include user login attempts, session activities, and other access-related data. By extracting features from these events, the system identifies patterns indicative of malicious behavior, such as unusual login times, multiple failed attempts, or geolocation inconsistencies. The extracted features are then used to generate a risk score, which determines whether the authentication event is legitimate or suspicious. This risk assessment helps in making real-time decisions to block or allow access, thereby enhancing security. The system may also incorporate additional techniques, such as behavioral biometrics or device fingerprinting, to further refine anomaly detection. By continuously monitoring and analyzing authentication events, the system adapts to evolving threats, reducing the likelihood of successful attacks. The overall goal is to provide a robust and adaptive authentication mechanism that minimizes false positives while effectively detecting and mitigating fra

Claim 6

Original Legal Text

6. The non-transitory machine-readable storage medium of claim 1, wherein the set of events comprises at least one event selected from among: starting a new process at a device, performing a domain name system (DNS) lookup between devices, a transfer of data between devices, a security event on a device, and a Hypertext Transfer Protocol (HTTP) request event.

Plain English Translation

This invention relates to cybersecurity monitoring and event detection within a networked system. The technology addresses the challenge of identifying and analyzing security-relevant activities across multiple devices to detect potential threats or anomalies. The system involves monitoring a set of events that occur within a network, where these events are indicative of device interactions, security incidents, or data transfers. The monitored events include the initiation of new processes on a device, DNS lookups between devices, data transfers between devices, security-related incidents on a device, and HTTP request events. By tracking these specific types of events, the system can detect unusual or malicious behavior that may indicate a security breach or unauthorized access. The invention improves upon existing security monitoring solutions by focusing on a defined set of high-risk events that are commonly associated with cyber threats, allowing for more targeted and efficient threat detection. The system may be implemented on a non-transitory machine-readable storage medium, enabling automated analysis and response to detected events. This approach enhances network security by providing real-time visibility into critical activities that could compromise system integrity.

Claim 7

Original Legal Text

7. The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the system to identify the given authentication event by filtering a plurality of authentication events based on checking for a pattern in the plurality of authentication events.

Plain English Translation

This invention relates to authentication event processing in computer systems, specifically improving the detection and handling of authentication events by identifying relevant events through pattern recognition. The system operates by analyzing a plurality of authentication events to filter and identify a specific authentication event of interest. The filtering process involves checking for a pattern within the authentication events, which may include temporal patterns, frequency patterns, or other distinguishing characteristics. This allows the system to isolate and process only the relevant authentication events, improving efficiency and accuracy in authentication workflows. The pattern-based filtering may be used to detect anomalies, enforce security policies, or streamline authentication processes by reducing unnecessary processing of irrelevant events. The system leverages machine-readable instructions stored on a non-transitory medium to execute the filtering and identification steps, ensuring reliable and automated operation. This approach enhances security and operational efficiency by focusing on meaningful authentication events while minimizing false positives or irrelevant data processing.

Claim 8

Original Legal Text

8. The non-transitory machine-readable storage medium of claim 7, wherein the pattern comprises information indicating a logon access over the network.

Plain English Translation

A system and method for network security monitoring and analysis involves detecting and analyzing network traffic patterns to identify potential security threats. The system captures network traffic data and processes it to extract patterns indicative of malicious activity. One specific pattern of interest is logon access over the network, which may signal unauthorized access attempts or other security breaches. The system uses machine-readable storage to store these patterns, allowing for automated detection and alerting when such patterns are observed. The stored patterns include metadata that describes the characteristics of logon access events, such as source and destination addresses, timestamps, and authentication methods. By analyzing these patterns, the system can distinguish between legitimate and suspicious logon attempts, enhancing network security. The system may also integrate with other security tools to provide real-time threat detection and response capabilities. This approach improves the efficiency and accuracy of network monitoring by automating the identification of high-risk logon activities.

Claim 9

Original Legal Text

9. The non-transitory machine-readable storage medium of claim 1, wherein the aggregating of the event data comprises aggregating event data of events every update time period.

Plain English Translation

A system and method for processing event data involves aggregating and analyzing event data from multiple sources to generate insights. The system collects event data from various sources, such as sensors, logs, or user interactions, and processes this data to identify patterns, trends, or anomalies. The aggregation of event data occurs at regular intervals, referred to as update time periods, ensuring that data is grouped and analyzed in consistent time-based segments. This periodic aggregation allows for efficient data processing and enables real-time or near-real-time monitoring of events. The system may further include filtering mechanisms to refine the aggregated data, ensuring that only relevant events are considered for analysis. The processed data can then be used for decision-making, predictive modeling, or generating alerts based on predefined thresholds or conditions. The system is designed to handle large volumes of event data efficiently, providing scalable and reliable insights for applications in monitoring, security, or performance optimization.

Claim 10

Original Legal Text

10. The non-transitory machine-readable storage medium of claim 1, wherein the aggregating of the event data further aggregates event data of the given authentication event.

Plain English Translation

The invention relates to a system for processing and analyzing event data, particularly in the context of authentication events within a computing environment. The problem addressed is the need to efficiently collect, aggregate, and analyze event data to enhance security and system monitoring. The invention involves a non-transitory machine-readable storage medium containing instructions that, when executed, perform operations to aggregate event data from multiple sources. This aggregation includes combining event data associated with a specific authentication event, such as login attempts, access requests, or other security-related activities. The aggregated data is then used to detect patterns, anomalies, or potential security threats. The system may also correlate event data from different sources to provide a comprehensive view of authentication activities. By aggregating event data in this manner, the system improves the accuracy and reliability of security monitoring, enabling faster detection and response to suspicious behavior. The invention enhances existing security frameworks by providing a more detailed and integrated analysis of authentication events, reducing false positives and improving overall system security.

Claim 11

Original Legal Text

11. The non-transitory machine-readable storage medium of claim 1, wherein the aggregating of the event data comprises calculating at least one selected from among: a count of events, an amount of data of events, a number of packets of events, and a statistical measure computed for events.

Plain English Translation

The invention relates to data processing systems that aggregate event data for analysis. The problem addressed is the need to efficiently summarize and quantify event data from various sources to enable meaningful analysis. Event data, such as logs, network packets, or system events, often requires aggregation to identify patterns, anomalies, or trends. The invention provides a method to aggregate event data by calculating specific metrics, including the count of events, the total amount of data associated with the events, the number of packets involved, or statistical measures derived from the events. These metrics help in understanding the volume, distribution, and characteristics of the event data. The aggregation process allows for efficient storage, retrieval, and analysis, reducing computational overhead while providing actionable insights. The invention is particularly useful in monitoring systems, security analytics, and performance optimization, where large volumes of event data must be processed and interpreted. By computing these metrics, users can quickly assess the significance of events and make data-driven decisions. The invention ensures that event data is processed in a structured manner, enabling scalable and efficient analysis across different domains.
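The windowing of claim 1, the event types of claim 6 and the metrics of claim 11, worked through as an added example that is not taken from the patent or any implementation of it. The `Event` and `AuthEvent` records, the event-kind strings, the device names and the choice to exclude events stamped exactly at the authentication time are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event kinds named in claim 6; the string labels are assumptions of this example.
KINDS = ("process_start", "dns_lookup", "data_transfer",
         "security_event", "http_request")


@dataclass(frozen=True)
class Event:
    time: datetime
    device: str
    kind: str
    nbytes: int = 0      # amount of data carried by the event, 0 if none


@dataclass(frozen=True)
class AuthEvent:
    time: datetime       # the "first time" of claim 1
    source: str          # first device, where the authentication was initiated
    target: str          # second device, the one being authenticated to


def related_events(auth, events, before, after):
    """Split events into the two windows of claim 1.

    Source-device events are taken from [t - before, t) and target-device
    events from (t, t + after]. Dropping events stamped exactly at t is an
    assumption; it keeps one event from landing in both windows when the
    source and target are the same host.
    """
    start, end = auth.time - before, auth.time + after
    src = [e for e in events
           if e.device == auth.source and start <= e.time < auth.time]
    dst = [e for e in events
           if e.device == auth.target and auth.time < e.time <= end]
    return src, dst


def aggregate(prefix, events):
    """Count, byte total per kind, and mean size: three of claim 11's metrics.

    Every kind always gets a column, so an empty window yields zeros and the
    classifier sees the same feature layout for every authentication event.
    """
    feats = {}
    for kind in KINDS:
        selected = [e for e in events if e.kind == kind]
        feats[f"{prefix}_{kind}_count"] = len(selected)
        feats[f"{prefix}_{kind}_bytes"] = sum(e.nbytes for e in selected)
    sizes = [e.nbytes for e in events if e.nbytes > 0]
    feats[f"{prefix}_mean_bytes"] = sum(sizes) / len(sizes) if sizes else 0.0
    return feats


def extract_features(auth, events, before, after):
    """Feature dictionary for one authentication event."""
    src, dst = related_events(auth, events, before, after)
    return {**aggregate("src", src), **aggregate("dst", dst)}


def t(hour, minute, second):
    return datetime(2020, 3, 24, hour, minute, second)


# Constructed sample data: ws-17 authenticates to srv-db at 12:00:00.
AUTH = AuthEvent(time=t(12, 0, 0), source="ws-17", target="srv-db")
BEFORE = timedelta(minutes=5)    # first time parameter value
AFTER = timedelta(minutes=10)    # second time parameter value
EVENTS = [
    Event(t(11, 50, 0), "ws-17", "http_request", 700),     # too early
    Event(t(11, 58, 0), "ws-17", "dns_lookup"),
    Event(t(11, 59, 30), "ws-17", "process_start"),
    Event(t(12, 0, 10), "ws-17", "process_start"),         # source, but after t
    Event(t(11, 59, 0), "srv-db", "dns_lookup"),           # target, but before t
    Event(t(12, 0, 20), "srv-db", "process_start"),
    Event(t(12, 1, 0), "srv-db", "data_transfer", 4096),
    Event(t(12, 2, 0), "srv-db", "data_transfer", 1024),
    Event(t(12, 20, 0), "srv-db", "data_transfer", 9000),  # too late
    Event(t(12, 1, 0), "ws-03", "http_request", 300),      # unrelated device
]

if __name__ == "__main__":
    for name, value in extract_features(AUTH, EVENTS, BEFORE, AFTER).items():
        print(f"{name:32} {value}")
```

The resulting dictionary is the feature row that would be handed to the classifier; the classifier itself is outside the scope of this example.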

Claim 12

Original Legal Text

12. The non-transitory machine-readable storage medium of claim 1, wherein the set of events is part of a stream of events that are continually processed for application by the classifier and to update the classifier.

Plain English Translation

A system processes a continuous stream of events using a classifier to apply labels or predictions to incoming data. The classifier is dynamically updated as new events are processed, allowing it to adapt to changing patterns or trends in the data. The events may include structured or unstructured data, such as sensor readings, user interactions, or transaction records. The classifier may be a machine learning model, statistical model, or rule-based system that assigns categories, probabilities, or other outputs to each event. The continuous processing ensures real-time or near-real-time analysis, enabling applications like fraud detection, predictive maintenance, or personalized recommendations. The system may also track performance metrics to assess the classifier's accuracy and trigger retraining or adjustments when performance degrades. The dynamic updating mechanism may involve incremental learning, where the model refines its parameters based on new data without requiring a full retraining cycle. This approach reduces computational overhead while maintaining model accuracy. The system may also handle event streams from multiple sources, integrating and normalizing data before classification. The classifier may be deployed in distributed environments, such as cloud-based or edge computing systems, to ensure scalability and low-latency processing. The continuous learning capability allows the system to adapt to evolving data distributions, improving long-term reliability.

Claim 13

Original Legal Text

13. The non-transitory machine-readable storage medium of claim 1, wherein the computing of the metric comprises computing a statistical measure based on the event data.

Plain English Translation

A system and method for analyzing event data involves processing recorded events to compute a metric that quantifies a specific aspect of the data. The metric is derived by calculating a statistical measure, such as mean, variance, or other statistical indicators, from the event data. This statistical measure provides insights into patterns, trends, or anomalies within the data, enabling improved decision-making or system monitoring. The event data may originate from various sources, including sensors, logs, or user interactions, and the computed metric can be used for performance evaluation, predictive maintenance, or anomaly detection. By applying statistical analysis to the event data, the system enhances the ability to extract meaningful information and derive actionable insights. The method ensures that the computed metric is reliable and accurate, supporting applications in fields such as industrial automation, cybersecurity, and data analytics. The statistical measure is selected based on the nature of the event data and the specific requirements of the analysis, allowing for flexible and adaptable processing. This approach improves the efficiency and effectiveness of event data analysis, leading to better system performance and decision-making.

Claim 14

Original Legal Text

14. The non-transitory machine-readable storage medium of claim 1, wherein the first time parameter value and the second time parameter value are adjustable based on machine learning according to past classifications of the classifier.

Plain English Translation

This invention relates to machine learning-based systems for adjusting time parameter values in a classifier. The problem addressed is the need for dynamic adaptation of time-sensitive parameters in classification systems to improve accuracy over time. The invention involves a non-transitory machine-readable storage medium containing instructions that, when executed, configure a computing device to adjust time parameter values based on past classification results. The system includes a classifier that processes input data and generates classifications, where the accuracy of these classifications is evaluated over time. The first and second time parameter values, which influence the classifier's behavior, are adjusted using machine learning techniques. These adjustments are based on historical classification data, allowing the system to learn and optimize the parameters for better performance. The machine learning model analyzes past classifications to determine optimal time parameter values, ensuring the classifier adapts to changing data patterns. This adaptive approach enhances the system's ability to maintain high accuracy in dynamic environments. The invention improves upon static parameter settings by incorporating continuous learning from classification outcomes.

Claim 15

Original Legal Text

15. A system comprising: a processor; and a non-transitory storage medium storing instructions executable on the processor to: receive a first time parameter value and a second time parameter value; filter authentication events according to a criterion to identify a given authentication event, wherein the filtering of the authentication events comprises checking the authentication events for a specified pattern, and removing an authentication event of the authentication events not matching the specified pattern to produce a subset of authentication events including the given authentication event at a first time; identify a set of events that are temporally related to the given authentication event, wherein the set of events includes events of a plurality of devices including a first device at which a user or program initiated the given authentication event with a second device, and the identifying of the set of events comprises: defining a first time interval that starts at a time that is the first time less the first time parameter value, and ends at the first time; defining a second time interval that starts at the first time, and ends at a time that is the first time plus the second time parameter value; identifying events of the first device in the first time interval before the first time, and identifying events of the second device in the second time interval following the first time; extract features from the given authentication event and the set of events; and apply a classifier on the extracted features to determine whether the given authentication event is unauthorized.

Plain English Translation

This system operates in the domain of cybersecurity, specifically for detecting unauthorized authentication events. The problem addressed is the challenge of identifying fraudulent or malicious authentication attempts in real-time by analyzing patterns and contextual data across multiple devices. The system includes a processor and a non-transitory storage medium storing executable instructions. The instructions receive two time parameter values, which define time windows for analyzing events before and after an authentication event. The system filters authentication events to identify a specific event of interest by checking for a specified pattern and removing non-matching events, producing a subset of relevant events. For the identified authentication event, the system then identifies a set of temporally related events from multiple devices. This involves defining two time intervals: one before the authentication event (starting at a time equal to the first time parameter subtracted from the authentication event time) and one after (ending at a time equal to the second time parameter added to the authentication event time). Events from the device where the authentication was initiated and the target device are collected within these intervals. Features are extracted from the authentication event and the related events, which are then processed by a classifier to determine if the authentication event is unauthorized. This approach leverages temporal and contextual data to enhance fraud detection accuracy.

Claim 16

Original Legal Text

16. The system of claim 15, wherein the instructions are executable on the processor to: receive feedback regarding the determination made by the classifier on the extracted features; and update the classifier based on the feedback.

Plain English Translation

The invention relates to a machine learning system for analyzing data, particularly for improving the accuracy of a classifier through feedback. The system processes input data to extract relevant features, which are then analyzed by a classifier to make determinations or predictions. The classifier is trained to recognize patterns in the extracted features and generate outputs based on those patterns. To enhance performance, the system receives feedback regarding the accuracy of the classifier's determinations. This feedback is used to update and refine the classifier, improving its ability to make correct predictions over time. The system may also include a feature extraction module that preprocesses the input data to isolate key characteristics for analysis. The feedback mechanism allows for iterative learning, where the classifier adapts based on user or system-provided corrections, ensuring continuous improvement in classification accuracy. This approach is particularly useful in applications requiring high precision, such as medical diagnostics, fraud detection, or quality control, where accurate classification is critical. The system automates the learning process, reducing the need for manual intervention while maintaining or improving performance.

Claim 17

Original Legal Text

17. The system of claim 15, wherein the set of events comprises events of a different type from the given authentication event, wherein the extracting of the features from the given authentication event and the set of events comprises aggregating event data of the given authentication event and the set of events, and wherein the aggregating of the event data comprises computing a metric based on the event data.

Plain English Translation

This invention relates to a system for enhancing authentication security by analyzing event data to detect anomalies or fraudulent activity. The system monitors and processes authentication events, such as login attempts, along with other related events of different types, to extract and aggregate relevant features. These features are used to compute metrics that help assess the legitimacy of an authentication attempt. By comparing the given authentication event against a broader set of events, the system improves fraud detection accuracy. The aggregation process involves combining event data from multiple sources, allowing for a more comprehensive analysis. The computed metrics provide a quantitative measure of risk, enabling better decision-making in authentication workflows. This approach helps mitigate unauthorized access by identifying patterns or inconsistencies that may indicate fraudulent behavior. The system is designed to work with various types of events beyond authentication, such as transaction logs or user behavior data, to enhance security across different applications. The aggregation and metric computation steps ensure that the analysis is both robust and adaptable to different threat scenarios.

Claim 18

Original Legal Text

18. A method comprising: filtering, by a system comprising a processor, authentication events according to a criterion to identify a given authentication event having a first time, the filtering reducing an amount of authentication events considered by the system for detecting unauthorized authentication events; receiving, by the system, a first time parameter value and a second time parameter value; identifying, by the system, a set of events that are temporally related to the given authentication event, wherein the set of events includes events of a plurality of devices including a first device at which a user or program initiated the given authentication event with a second device, and the identifying of the set of events comprises: defining a first time interval that starts at a time that is the first time less the first time parameter value, and ends at the first time; defining a second time interval that starts at the first time, and ends at a time that is the first time plus the second time parameter value; identifying events of the first device in the first time interval before the first time, and identifying events of the second device in the second time interval following the first time; extracting, by the system, features from the given authentication event and the set of events by aggregating event data of the given authentication event and the set of events; and providing, by the system, the extracted features to a classifier that detects unauthorized authentication events.

Plain English Translation

This invention relates to detecting unauthorized authentication events in a system by analyzing authentication events and related device activities. The method filters authentication events based on a criterion to identify a specific event occurring at a first time, reducing the number of events the system must process. The system then receives two time parameter values to define temporal intervals around the first time. A first interval spans from a time before the first time (calculated by subtracting the first parameter value) to the first time itself. A second interval spans from the first time to a time after the first time (calculated by adding the second parameter value). The system identifies events from multiple devices, including the device where the authentication was initiated and the target device, within these intervals. Events from the initiating device are checked in the first interval (before the first time), while events from the target device are checked in the second interval (after the first time). The system then extracts features by aggregating data from the identified authentication event and related events. These features are provided to a classifier that detects unauthorized authentication attempts. The approach improves efficiency by focusing on relevant events and enhances detection accuracy by analyzing contextual device activities around the time of authentication.

Claim 19

Original Legal Text

19. The method of claim 18, wherein the set of events comprises events of a different type from the given authentication event, and wherein the aggregating of the event data comprises computing a statistical metric based on the event data.

Plain English Translation

This invention relates to event-based authentication systems, specifically improving security by analyzing multiple event types to detect anomalies or authenticate users. The method involves collecting event data from a user's interactions with a system, where these events may include different types such as login attempts, transaction requests, or device usage patterns. The system aggregates this event data and computes statistical metrics, such as frequency, timing, or correlation between events, to assess whether the user's behavior aligns with expected patterns. By comparing these metrics against predefined thresholds or historical data, the system can determine whether an authentication event (e.g., a login request) is legitimate or potentially fraudulent. The approach enhances security by leveraging contextual information from diverse event types rather than relying solely on the authentication event itself. This method is particularly useful in detecting sophisticated attacks, such as account takeovers or insider threats, where attackers may attempt to mimic legitimate behavior. The statistical analysis allows for dynamic risk assessment, enabling real-time decision-making to either grant or deny access based on the aggregated event data.
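The windowing and aggregation recited in Claims 18 and 19 can be sketched as follows. This is an added example, not code from the patent or from this page; the event fields, device names, the filtering criterion (remote logons only), the window-boundary handling and the chosen metrics (per-type counts and mean bytes) are all assumptions made for illustration.

```python
from collections import Counter
from statistics import mean

# Constructed sample data (not from the patent); times are in seconds.
AUTH_EVENTS = [
    {"time": 1000, "src": "ws-1", "dst": "srv-9", "user": "alice"},
    {"time": 1005, "src": "ws-2", "dst": "ws-2", "user": "bob"},  # local logon
]
OTHER_EVENTS = [
    {"time": 940,  "device": "ws-1",  "type": "dns",     "bytes": 120},
    {"time": 990,  "device": "ws-1",  "type": "http",    "bytes": 4000},
    {"time": 880,  "device": "ws-1",  "type": "dns",     "bytes": 90},    # too early
    {"time": 1010, "device": "ws-1",  "type": "http",    "bytes": 700},   # source, but after
    {"time": 1020, "device": "srv-9", "type": "process", "bytes": 0},
    {"time": 1050, "device": "srv-9", "type": "dns",     "bytes": 300},
    {"time": 995,  "device": "srv-9", "type": "dns",     "bytes": 50},    # target, but before
    {"time": 1200, "device": "srv-9", "type": "http",    "bytes": 9000},  # too late
]

def filter_auth_events(auth_events):
    """Hypothetical criterion: keep only logons between two different devices."""
    return [a for a in auth_events if a["src"] != a["dst"]]

def related_events(auth, events, t_before, t_after):
    """Source-device events in [t - t_before, t), target-device events in (t, t + t_after]."""
    t = auth["time"]
    before = [e for e in events
              if e["device"] == auth["src"] and t - t_before <= e["time"] < t]
    after = [e for e in events
             if e["device"] == auth["dst"] and t < e["time"] <= t + t_after]
    return before, after

def extract_features(auth, events, t_before, t_after):
    """Aggregate each window into per-type counts plus one statistical metric."""
    before, after = related_events(auth, events, t_before, t_after)
    features = {}
    for label, window in (("src_before", before), ("dst_after", after)):
        counts = Counter(e["type"] for e in window)
        for etype in ("dns", "http", "process"):
            features[f"{label}_{etype}_count"] = counts[etype]
        features[f"{label}_mean_bytes"] = mean(e["bytes"] for e in window) if window else 0.0
    return features

def build_feature_rows(t_before=60, t_after=60):
    """One feature row per filtered authentication event, ready for a classifier."""
    return [(a, extract_features(a, OTHER_EVENTS, t_before, t_after))
            for a in filter_auth_events(AUTH_EVENTS)]
```

Each returned feature dictionary is one row of classifier input; the classifier itself is outside the scope of this sketch.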

Patent Metadata

Filing Date

Unknown

Publication Date

March 24, 2020

Inventors

Mijung Kim
Pratyusa K. Manadhata
Manish Marwah


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “EXTRACTING FEATURES FOR AUTHENTICATION EVENTS” (10599857). https://patentable.app/patents/10599857

© 2026 Nomic Interactive Technology LLC. Machine-readable context available at /api/llm-context/10599857. See llms.txt for full attribution policy.
